WHMCS - Horrific Cleaning of variables leaves multiple zero-day possibilities

[lulzsecurity]

Before you ask, I've alerted Matt from WHMCS today, I won't post exactly, but the cleaning is horrific. To give you a few sense about this,

Attacker A -> register, orders vps, due to improper cleaning on  whmcs part, we can abuse this.

Attacker A then gets full access to the machine using zero-day.

Improper cleaning of "$whmcs->sanitize_input_vars()". If legit admin user a for example does this:

Register, order vps but has special chars that were not filtered by cleaning, we can then break the cmd and exec()ute more commands.

Now I must get mad at their bad coding..

function {snipped}($arr) {

   global $whmcs;

 {snipped}

}

$whmcs = new WHMCS_Init();

$whmcs = $whmcs->init();

 

All of that is in the same file, no need to global it, as its already created the instance. I wonder where they learned how to program, -,-.

 

Multiple issues with poor coding, however a vulnerability if not patched could lead to multiple zero-days on anything/everything that uses cleaning and relies on it.

 

I will disclose exactly how to do this IF they do not fix it.

 

[thisisnotnetomx]

:c

 

[D. Strout]

Whoever does work like that should not be allowed to program. There will be another explosion soon, or I'm an idiot. (Probably true anyway, but still...)

 

[lulzsecurity]

I will release the vulnerabilities and how to do it if they don't patch it.

 

[jarland]

Curtis, just leave.

 

[lulzsecurity]

But lets prove everything is vulnerable...

from init class which is called for everything...

$_GET = $this->sanitize_input_vars( $_GET );

$_POST = $this->sanitize_input_vars( $_POST );

$_REQUEST = $this->sanitize_input_vars( $_REQUEST );

$_SERVER = $this->sanitize_input_vars( $_SERVER );

$_COOKIE = $this->sanitize_input_vars( $_COOKIE );

 

[drmike]

I'd love to see a proof of concept

 

[lulzsecurity]

I'd love to see a proof of concept

Did you miss the part I won't release how to do it (which requires you need to know the code to trigger it) unless they patch it...?

 

[Nick_A]

I don't understand the point of threatening to put hosts at risk if a software company doesn't fix something you take issue with. Have they personally wronged you in some way or do you just like seeing things burn?

 

[lulzsecurity]

I don't understand the point of threatening to put hosts at risk if a software company doesn't fix something you take issue with. Have they personally wronged you in some way or do you just like seeing things burn?

I'm not threatening, I alerted Matt from WHMCS(feel free to confirm) of these issues. 

Have they personally wronged me? No, not really.

Like seeing things burn? No

 

[Nick_A]

I'm not threatening, I alerted Matt from WHMCS(feel free to confirm) of these issues. 

Have they personally wronged me? No, not really.

Like seeing things burn? No

Then explain the point. All ears.

 

[XFS_Duke]

How about we don't try and bash the guy... Lets listen and try and help instead of being assholes to the person thats trying to get them to fix their mistakes... Just an idea...

 

[lulzsecurity]

The point is just simply they haven't put in proper cleaning, so I feel the need to announce it to providers to be on the lookout for possible hackers if they figure it out.

 

[lulzsecurity]

The point is just simply they haven't put in proper cleaning, so I feel the need to announce it to providers to be on the lookout for possible hackers if they figure it out.

 

[jarland]

How about we don't try and bash the guy... Lets listen and try and help instead of being assholes to the person thats trying to get them to fix their mistakes... Just an idea...

Because he isn't trying to get them to fix it. He probably didn't even contact Matt like he claimed. His number one desire is and has always been attention.

 

[lulzsecurity]

Because he isn't trying to get them to fix it. He probably didn't even contact Matt like he claimed. His number one desire is and has always been attention.

Feel free to open ticket and ask, or:

 

[XFS_Duke]

well jarland, I know for a FACT he spoke to Matt, wanna know how? Well it's simple. I put him in touch with Matt myself and I've spoken to Matt about this... So... Thanks but try again....

 

[drmike]

Did you miss the part I won't release how to do it (which requires you need to know the code to trigger it) unless they patch it...?

 

No, I didn't miss that  I am not interested in a DIY recipe or howto, but for the doubters sake and your own, nothing wrong with finding a willing host and displaying the compromise effects (non maliciously of course).  

I am a skeptic, but open minded.  

 

[jarland]

well jarland, I know for a FACT he spoke to Matt, wanna know how? Well it's simple. I put him in touch with Matt myself and I've spoken to Matt about this... So... Thanks but try again....

You're playing with fire.

 

[lulzsecurity]

I won't share unless they patch.